Compliance, cooperation, standards of care, and cybersecurity momentum.
The conference's morning CISO panel expressed clear consensus on the value of cooperation and collaboration in cybersecurity, even among businesses that in the ordinary course of things compete. The CISOs agreed that cybersecurity shouldn't be a competitive differentiator.
Cybersecurity problems are increasingly pervasive, and Northrop Grumman's Michael Papay called for an extension and generalization of security principles evolving as the Internet-of-things develops increasing resiliency. He argued that cybersecurity ought to be conceived as a distinct engineering discipline. His fellow panelists agreed that risk management is something engineers have long been familiar with, and that an engineering perspective in this regard would prove invaluable to cybersecurity in any economic sector.
Businesses and investors are still grappling with what constitutes a reasonable standard of care in cybersecurity. Josh Kram, of the US Chamber of Commerce, noted that Israel was increasingly buying into a version of the NIST Framework, and suggested that this Framework could make a significant contribution to the development of global norms. Papay commented on the growing importance of global data regulations.
Such regulations, and the compliance measures they require, was the topic of the conference's closing keynote, by Michael Adams, a partner at McGuireWoods LLP. He framed the problem with a discussion of Sony Pictures' experience of being hacked by the Guardians of Peace. He pointed out the importance of a well-thought-out, detailed incident response plan in limiting damage from a cyberattack.
He also argued that compliance risk could be turned to positive effect if it could be used to drive cybersecurity momentum. While highly prescriptive regulation has its downsides (for one, "it always chases technology," and for another it can create a false sense of security by defining away the problem) it can be used to help an organization mitigate its risks more generally conceived. The key, he said, is distinguishing baseline standards from effective standards. Compliance with the latter should be the organization's goal.